Computing Time for Crime

Bret McDanel was convicted in 2002 and served 16 months in pris­on for violating the Computer Fraud and Abuse Act. But after serving his sentence, the government decided that his prosecution had been a mistake, and moved to vacate the conviction.

In a brief filed in the 9th U.S. Circuit Court of Appeals, Justice Department lawyers wrote they first believed prosecuting McDanel, a computer expert, involved “a proper, good-faith construction of the statute.” But McDanel’s attorney persuaded them that the very statute was the problem.

“This goes beyond any normal overzealousness by prosecutors,” says Jennifer Granick, executive director of the Center for Internet and Society at Stanford University. “The law is so vague that it covers any interaction that one computer user doesn’t want.”

Passed in 1984 and amended several times, including by the USA Patriot Act in 2001, the CFAA looms large in the Internet era. But its terminology may be too vague. For example, says Granick, the statute describes “unauthorized access” as “intentionally access[ing] a computer without authorization,” which could be interpreted as any interaction between two computers.

Many say that in its zeal to do something about the rising problem of illegal hacking into protected computer systems, Congress made it too easy to convict. “Since there are very few successful prosecutions, it creates the impetus in Congress to boost the punishment,” says professor Orin Kerr of George Washington University Law School.

McDanel was charged with violating a CFAA section that prohibits transmission of code, programs or information with the intent to cause damage to a protected computer. It’s usually interpreted to cover malicious code like computer viruses. He had sent so many e-mails to his former employer that its computer systems crashed. Granick argued that McDanel’s e-mails weren’t malicious code, but instead were an attempt to force his ex-employer to address a security hole in its software.

Court Comprehension Criticized

Another problem, say critics, is that crimes like hacking and virus writing are so technically complex that many courts struggle to understand them.

The result, they say, is that courts have been widely inconsistent, sentencing some techies like McDanel to hefty punishment for minor activity, while handing others light sentences for more consequential crimes.

In 2003, for example, virus writer Jeffrey Lee Parson pleaded guilty to unleashing part of the MSBlast worm that attacked millions of Internet users. He was sentenced to between 18 and 37 months. By contrast, the average sentence in 2002 for auto theft was 47 months.

Those inconsistent sentences often reflect a court’s inability to comprehend the full extent of a hacker’s activities, observers say. “With some of the high-profile hackers, the course of conduct often tends to be extreme, but in the end they’re often charged with just a snippet of their activities,” says Washington, D.C., attorney Marc Zwillinger, formerly of the Justice Department’s Computer Crime and Intellectual Property Section, part of the Criminal Division.

Another problem is damages, which the CFAA defines as “impairment to the integrity or availability of data.” That’s far too broad, says Granick.

For example, in 1999, when computer hacker Kevin Mitnick went to jail for violating the CFAA, one of his victims, Sun Microsystems, put the value of computer code Mitnick stole at $80 million. A few years later, Sun gave away the same code for free under a new licensing agreement.

Zwillinger, who says the issue of computer crime sentencing is overblown, adds that courts can rely on outside experts to assess damages. “That’s where damage experts make their money,” he says.

“It’s clearly the most complicated solution, but I think they do a fairly good job.”